Online Privacy In India
[These are my notes from a class I took in my master’s and also some thoughts from a friend on the same.]
The fundamental right to privacy was not recognized until recently. While B.R. Ambedkar, the father of the Constitution, asked for something along the lines of privacy in the first draft of the Constitution, there was no such thing in it. In MP Sharma vs Satish Chandra, an 8-judge bench said that there is no fundamental right to privacy. In Kharak Singh vs State of UP, another bench said that there is no fundamental right to privacy, but that Kharak Singh’s privacy was being violated. The Puttaswamy judgement, circa 2017, in which Puttaswamy raised an issue regarding Aadhaar’s safety in the Supreme Court, concluded with a 9-judge bench declaring that the right to privacy is a fundamental right. India, given its sheer size, is still grappling with the idea of personal privacy, and online privacy is even newer to it.
India’s online privacy laws are currently non-existent; while the IT Act 2000 exists, it only addresses cybercrimes and fraud in electronic commerce. A Personal Data Protection (PDP) bill is currently being reviewed by the JPC (Junior Parliamentary Committee); the PDP bills of 2018 and 2019 are largely based on the General Data Protection Regulation (GDPR). This bill was based on a report, “A Free and Fair Digital Economy”, by the J Srikrishna Committee. However, according to a news article in the Economic Times dated 17th Feb 2022, this bill based on the Srikrishna report might be scrapped because it is “non-comprehensive” in an evolving digital landscape and does not address everything. A non-personal data bill is currently under consideration and is based on the “Report by Committee of Experts on Non-Personal Data Governance Framework”, a report by the Kris Gopalakrishnan Committee.
The PDP bill tries to provide a regulatory framework; its objective is to protect personal data from a personal privacy perspective. The PDP bill 2019 defines various classes of data:
- Personal Data
- Personal Sensitive Data
- Critical Personal Data
- Anonymised Data
- De-identified Data
Personal data is data with which you can be identified; it becomes increasingly identifiable the more data you add to it. Sensitive personal data (medical data, sexual preferences, biometric data) is data that needs to be handled with greater care. The bill also states its scope, including who it applies to.
Additionally, the bill defines privacy principles (akin to GDPR and FTC privacy policies):
- Notice and consent
- Purpose Limitation
- Use Limitation
- Data Minimisation
- Retention Limitation
The PDP is focused on giving data rights to the user. These are:
- Right to access and confirmation
- Right to correction and erasure
- Right to data portability
- Right to be forgotten
One final aspect of the PDP is data localisation: since international companies store data outside the jurisdiction of the country, this presents an “access” issue for the government. Hence the bill mandates that certain aspects of the data be stored in the country, a requirement that was toned down in the 2019 draft. There are also provisions around children’s data, the liabilities an entity is subject to if it does not obey these rules, data breaches, and finally the establishment of a data protection authority.
The non-personal data report by Kris Gopalakrishnan tries to define an enabling framework around a certain tranche of data, distinct from personal data, which companies can benefit from. This bill tries to unlock the value inherent in non-personal data, and this framework is only being explored in India. Non-personal data is defined as data which cannot be used to identify anyone or which has been anonymized as under the PDP bill.
Rights over non-personal data (NPD) include:
- Right to economic benefit
- Right to redress against any harm suffered as a result of the sharing of non-personal data about a community
It also defines the various parties involved and their scopes: data businesses are entities that handle non-personal data, and data trustees are defined as data businesses that create and share high value datasets (HVDs) on behalf of the communities they represent.
Having written this, I think everyone should read “The Right to Privacy” by Louis Brandeis and Samuel Warren to get some perspective on privacy. Although we have come far from the original context and intention of the article, its essence and what it tried to impart about privacy remain the same, and it is a good foundation for anyone into privacy.